There are 175+ tickets resolved with the Spring Security 4.0 release.
Below are the highlights of the new features found in Spring Security 4.0.
Methods with role in them do not require ROLE_ For example, previously the following would be required within XML configuration:
<intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
Now you can optionally omit the ROLE_ prefix. We do this to remove duplication. Specifically, since the expression hasRole already defines the value as a role it automatically adds the prefix if it is not there. For example, the following is the same as the previous configuration:
<intercept-url pattern="/**" access="hasRole('USER')"/>
Similarly, the following configuration:
is the same as this more concise configuration:
@EnableWebSecuritybut still allow it to be overridden
As exploits against applications evolve, so must Spring Security. As a major release version, the Spring Security team took the opportunity to make some non-passive changes which focus on:
For complete details on migrating from Spring Security 3 to Spring Security 4 refer to one of the guides below: